►
From YouTube: End Users Working Group (March 2, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A
F
E
D
E
B
D
B
B
So
good
morning,
everyone
we've
got
an
agenda
to
go
through
first
of
all,
As
traditional
is
there
anyone
who
could
act
as
scribe
for
us
today
and,
as
is
traditional,
thank
you
very
much
Dan
for
your
continued
efforts
to
to
keep
us
in
in
sync,
with
the
appropriate
scribing
best
in
the
industry,
not
even
his
day.
Job.
H
B
J
I
am
a
new
friend
hi
Oh
yay,
hey
crops
clapping.
For
me,
my
name
is
Jessica
I
work
at
Intel
I'm,
the
director
of
the
open
source
program
office-
and
this
is
my.
This
is
my
first
time
attending
an
open,
ssf
working
group
meeting
but
I'm
interested
in
getting
to
know
you
all
and
sharing
with
you,
some
stuff
that
that
my
team
has
been
working
on.
J
B
B
So
a
couple
of
things
to
to
go
through,
and
then
we
have
any
other
business
and
any
other
notes
from
different
working
groups,
but
starting
off
with
a
couple
of
notes.
There's
the
ossf
Summit
in
Vancouver
in
May,
just
really
sort
of
raising
for
people's
awareness
more
than
anything
else,
but
also
you
know
is-
is
there
interest
in
getting
together
as
an
end
User
Group?
Whilst
people
are
out
there
or
first
of
all,
are
people
going?
I
am
three
four
four
and
a
half.
B
Cool
yeah
great
cool
I,
tried
to
do
that
in
London,
with
the
recent
state
of
Open
Source
I've
got
a
couple
of
people
interested
there
as
well.
That
would
be
cool,
so
so
I
guess
part
of
it
was
the
sort
of
notification
and
and
partners
sort
of
whip
up
initial
interest
in
maybe
getting
people
together,
for
perhaps
the
birds
of
a
feather
session
or
just
a
face-to-face
meeting,
certainly
drinks,
and
you
know
I-
guess
we'll
we'll
bring
it
back
up
as
we
get
closer
to
it.
A
B
B
It
looks
like
it's
got
quite
quite
a
lot
of
quite
a
lot
to
it.
I
mean
there's
it's
quite
a
detailed
document
and
I
think
it's
got
a
lot
of
ramifications
to
end
users,
particularly,
and
it's
quite
potent
and
I
think
to
this
group.
So
raising
again
for
information
purposes.
I
did
have
a
link
that
was
passed
on
to
me
there,
but
I
don't
have
a
link
to
the
actual
document
itself.
A
B
E
D
D
D
B
Green,
so
I
I
think
that
is
probably,
as
people
start
to
digest
it.
We
should
I
mean
I.
Think
it'd
probably
be
another
good
topic
to
bring
up
next
week.
Some
of
the
ramifications
of
that
how
we
see
that
affecting
end
user
groups,
the
work
that
we're
doing
and
maybe
there's
worthwhile
getting
getting
together
and
figuring
out.
You
know
strategy
to
address
those
issues.
B
A
Should
I
think
wrap
in
the
whole
EU
CRA
into
that
also
because
in
in
essence,
it's
going
to
be
doing
exactly
the
same
thing
right
by
by
requiring
people
who
produce
or
sell
to
go
put
their
software
through
a
series
of
tests
to
provide
a
guaranteed
five-year
SLA
those
types
of
activities.
So
it's
going
to
do
the
same
thing
in
effect,
I
think
well,.
K
I
big
big
picture
to
drive
action,
I
think
so.
I
think.
The
strategy,
though,
is
a
much
better
way
to
approach
than
what
the
CRA
was
doing.
Of
course,
the
devil
will
be
in
the
details
of
how
the
implementation
comes
out,
but
I
think
I
think
the
approach
is
different
and
basically
that
the
summary
for
those
that
haven't
read
it
I
mean
there's
a
lot
in
there.
K
But
the
part
that
is
most
relevant
to
software
is
they're
basically
saying
we
want
to
change
contract
law
so
that
Euless
can't
as
a
first
step
disclaim
all
liability
we're
going
to
take
that
away,
and
you
have
to
earn
that
back
by
following
certain
Safe
Harbor
Steps,
which
would
be
defined
by
practices
may
be
defined
here,
also
within
cisa
right
and
so,
as
opposed
to
just
letting
everybody
do
whatever
and
have
no
downsides.
You
have
to
earn
that
back
and
there's
a
similar
set
of
words
for
people
who
I
think
they
call
them.
K
Not
data
custodians,
that's
right,
and
it's
a
similar
thing.
So,
basically
the
point
being
you're
going
to
be
held
responsible
if
you're
negligent
in
leaking
data
and
or
shipping
software.
That
has
problems
and
you
didn't
follow
best
practices
which
is
I,
think
a
very
different
approach
than
what
the
CRA
was
trying
to
do.
D
A
K
K
G
G
Yeah
they
can
reach
into
any
contract
and
change
it
and
if
they
think
the
public
is
served
by
it
and
I've,
usually
sort
of
given
that
warning
in
the
context
of
like
a
hypothetical
where
something
very
catastrophic
happens
and
legislatures
just
freak
out
and
and
upset
the
whole
thing
or
something
else,
I
was
going
to
say.
But
it's
Escape
me
now.
B
D
B
K
The
the
last
page
page
37
talks
about
the
implementation
and-
and
you
know,
there's
there's
a
lot
of
words
there
and
you
know
I've
had
time
to
think
about
this,
because
I
I
was
invited
to
see
an
early
draft
of
this
about
six
weeks
ago
and
in
my
mind,
I
think.
The
way
this
plays
out
is
there
will
be
a
number
of
different
initiatives.
You
know
because
they're
talking
about
software
liability,
they're
talking
about
cyber
Insurance,
there's
iot
there's
a
lot
in
this
big
picture,
but
I
think
what
happens.
K
B
B
All
right,
definitely
one
I
think
that's
going
to
be
a
big
Focus
for
a
lot
of
people,
so
some
some
good
reading
ahead
I
think
maybe,
as
people
read
through
it,
it
might
be
useful
to
start
putting
commentary
into
the
slack
Channel
I
know
we
don't
use
the
slack
channel
that
as
much
or
that
much
at
all
really
but
I.
Think
there's
gonna
be
a
lot
of
activity
over
the
next
couple
of
days
in
a
week
or
so,
rather
than
waiting
till
the
next
two
weeks
to
actually
discuss
it.
B
A
Think
that'd
be
helpful.
I
also
want
to
mention
one
thing:
while
we're
talking
about
this
I,
don't
know
how
many
of
you
are
planning
on
attending
the
pub
the
open,
ssf
public
policy
meeting
tomorrow
morning
that
is
going
to
so
there
is
a
period
There's
an
opportunity
now
for
us
to
submit
potential
amendments
to
the
CRA
and
the
public
policy
meeting
being
led
by
Intel
is
driving
this
activity,
and
so
they've
scheduled
I
think
a
90-minute
two-hour
meeting
tomorrow
morning
for
people
to
have
input
into
how
these.
D
A
A
L
A
I
B
A
Yeah
so
a
couple
of
things,
but
first
off
came
to
be
stepping
down
or,
as
the
vice
chair
of
the
end
user
working
group,
I
still
want
to
be
very
involved.
In
fact,
I'd
really
like
to
kind
of
Drive
membership
to
this
group.
The
reason
I'm.
Stepping
down
is
as
we
get
as,
as
this
group
has
matured
and
we're
beginning
to
get
to
into
developing
more
and
more
content.
I
simply
don't
have
the
cyber
security
background.
A
I
have
the
open
source
background
I've
been
an
open
source
for
over
20
years,
but
I
don't
have
the
cyber
security
background
and
don't
have
the
domain
expertise
to
contribute
to
a
lot
of
this
content.
So
I
think
this
group
deserves
someone
who
has
much
deeper
cyber
security
experience
to
drive
this
I
I
think
I
really
think
it
should
be
an
end
user,
given
the
the
the
nature
of
the
group,
but
I
wanted
to
throw
that
and
throw
that
out
there
I
do
want
to
throw
my
a
name
in
the
ring
here.
A
Someone
who
I've
seen
be
very
active,
but
it
doesn't
need
to
be
open.
I
think
Jack
could
be
a
great
number.
Two
for
this
for
this
group,
and
so
I
but
I
did
want
to
let
people
know
I'm,
not
stepping
down
from
the
group
I'm
really
I.
Just
I
would
like
to
frankly
focus
on
I,
think
I
can
add
value
on
around
driving
more
membership,
so
that's
kind
of
where
I'm
at.
B
Pretty
cool
thanks,
well,
I,
I!
Think,
as
you
say,
it
needs
to
be
open,
I
mean
so
I'd,
second,
that
for
Jack
good
man
you're,
you
know
I,
think
you
you've
been
here,
for
instance
in
the
very
beginning
and
huge
contribution
to
the
work
we're
doing
around
and
user
group
and
open
source
in
general,
so
I
definitely
second,
that
anyone
else.
B
B
B
G
G
G
B
A
So
I
think
we
need
to
continue
to
to
recruit
new
new
members
to
this
group.
It's
always
good
to
have
new
new
blood
new
opinions,
New
Perspectives
people
who
can
actually
contribute
I
think
we
still
need
to
focus
on
obviously
on
end
end
users
I've
begun
to
build
a
pipeline
of
people.
I
want
to
want
to
reach
out
to
at
groups
who
at
end
users
who
who
are
members
yet
such
as
Uber
and
Boeing,
and
JP,
Morgan
and
and
entities
like
that.
A
A
We
need
to
broaden
that
I
think
and
maybe
in
EU
participants,
so
I'll
put
together
and
I'm
happy
to
to
have
people
work
with
me
and,
in
fact
need
others
to
participate
in
this
process
and
think
about
who
they
knew
know
and
who
they
can
help
us
reach
out
to,
but
happy
to
start
putting
together
a
list
of
targets
for
us
to
reach
out
to
I
think
we
should
use
the
Vancouver
event
as
as
a
recruiting
opportunity.
I
think
there'll
be
when
I.
A
B
Yeah
great
one,
I
I
think
it's
really
positive.
We've
got
21
people
on
the
call
right
now,
so
there's
a
lot
of
people,
a
lot
of
interest
and
I
I.
Think
Andrew.
You
and
I
have
talked
to
many
many
others
and
a
lot
of
people
are
in
the
background
trying
to
feed
information
into
here
and
taking
the
sort
of
a
Content
way,
not
necessarily
A,
join
the
group.
H
D
B
Really
good,
actually
thinking
about
that
so
do
I
I
talked
to
them
and
they
have
expressed
interest
to
join,
but
haven't
followed
up
on
that.
So
maybe
you
and
I
also
you
can
double
check
yeah,
let's
yeah,
all
good
fantastic!
Thank
you
right.
Next
item
on
the
agenda:
an
open
source,
consumption
Manifesto,
so
it's
some
work
that
I've
been
very
interested
in
seeing
from
from
suggested
from
Brian.
But
Brian.
Do
you
want
to
take
it
away?
Give
an
intro.
K
But
back
in
November
or
so
I
I
dragged
Jeff
weyman
into
this.
To
help
me
actually
put
some
words
from
the
thoughts
combining
a
white
paper
that
Jonathan
had
written
and
and
leaning
heavily
on
some
of
the
learnings
that
came
out
of
the
Tahoe
event
that
many
of
you
were
at
in
in
the
all-day
board,
meeting
I
kind
of
got
on
the
soapbox
a
little
bit
and
said
you
know
we're
we're
all
talking
about
these
really
hard
to
solve
problems.
K
But
you
know
our
data
shows
that
96
of
the
time
people
just
make
bad
choices
because
they're,
the
the
fixed
version
is
already
out
there
and
so
talking
about
better
tools
and
better
education.
And
all
these
things,
while
important
for
my
data,
is
focused
on
solving
four
percent
of
the
problem
and
there
seemed
to
be
a
a
group
of
people.
K
That
kind
of
that
message
resonated
with,
and
so
we
were
trying
to
put
together
kind
of
a
a
cyber
sort
of
hyperbolic
call
to
action
to
sort
of
re-level
the
the
focus
a
bit
that
everybody
is
focused
on
this
four
percent
of
the
problem.
Can
we
shout
a
little
bit
to
try
to
get
people
to
focus
on
if
we
can
get
consumers
to
make
better
choices?
K
Now
they
can
solve
a
big
part
of
this
this
problem
and
it
doesn't
take
decades
for
the
next
generation
of
Engineers
to
come
along
and
for
everything
to
migrate
to
memory
safety
and
better
tooling,
like
literally,
if
people
stopped
downloading
the
vulnerable
version
of
log
per
J.
Today
that
matters
and
I
looked
I
haven't
looked
today,
but
last
week
that
number
was
still
at
29
of
the
time
people
are
consuming
the
log4j
thing
and
we're
now
what
14
15
months
passed.
K
K
Much
like
we
were
saying
about
the
cyber
security
strategy.
It's
a
call
to
action,
not
a
specification
and
a
list
of
every
single.
Damn
thing
that
you
need
to
do.
Those
things
are
being
defined
elsewhere,
like
salsa
and
c2cf.
I
think
we
just
want
to
highlight
this.
This
growing
problem
for
people.
So
that's
what
we're
trying
to
do
with
the
manifesto.
B
Yeah,
just
just
just
to
really
add
to
that
right,
I
mean
it
was
quite.
It
was
quite
interesting
to
see
I
put
together
a
threat
model
of
a
sample
architecture
and
subsequently
we're
building
on
that
with
with
Henrik
and
the
rest
of
the
group
and
as
I
sort
of
Applied
like
the
last
seven
years
worth
of
exploit
data
in
a
fairly
abstract
fashion
and
Enrique
has
highlighted
that's
the
wrong
way
to
do
it,
and
you
should
use
a
taxonomy,
so
I've
learned
from
that.
B
But
you
know
identified
where
the
attacks
are
actually
coming
and
and
would
I.
You
know
present
themselves
to
the
architecture
in
and
realized.
There
is
a
huge
amount
of
that
on
the
consumption
part.
So,
whilst
is
Brian's
saying
we're
looking
at
really
looking
at
supply
chain
and
software
security
holistically,
there's
a
massive
outweighed
value
and
focus
on
that
consumption
piece
from
an
end
user
perspective
and
what
I'm
trying
to
do
what
I've
been
trying
to
do
is
try
to
get
that
message
out.
B
Talk
to
other
Industries
Enterprises
participants
just
to
see
just
just
make
people
aware
of
that
and
and
get
people
to
start
to
look
at
how
to
mitigate
that
particular
issue.
You
know,
as
Brian's,
saying,
there's
lots
of
different
things
that
we're
trying
to
do
here
as
a
group
in
as
other
industry
participants,
but
that
one
seems
to
be
one:
that's
really
super
super
important
and
and
Brian.
C
D
K
Technology
exist
to
solve
this
problem,
and
sonotype
has
been
selling
it
for
10
plus
years
and
we're
not
the
only
one.
The
problem
is
organizations
we're
completely
ignoring
this
and
unprepared.
When
log4j
happened,
we
had
customers
who
remediated
their
entire
portfolio
of
tens
of
thousands
of
applications
in
days
and
then
the
rest
of
the
world
was
freaking
out
for
months,
just
trying
to
figure
out
where
we
use
log4j.
That's
kind
of
the
point
of
this
Manifesto.
Is
that,
like
you,
need
to
take
control
of
your
supply
chain
and
pay
attention
to?
F
B
I
I
think
that's
kind
of
separate
I
think
my
view
sure
is
is
yeah.
You
can
see
that
as
potentially
a
risk,
but
this
the
the
Manifest
is
more
focusing
on
in
in
consumption
of
Open,
Source
software
and
known
vulnerable
or
malicious,
looking
open
source
software
and
getting
vendors
on,
and
consumers
of
that
software
to
at
least
start
to
look
and
put
the
shields
up
in
whatever
way.
That's
possible,
there's
multiple
different
technical
ways
of
doing
so,
but
sort
of
put
that
up.
B
D
J
Great,
thank
you
actually
I'm,
really
interested
in
this,
because
I've
been
working
on
something
and
I've
actually
shared
with
some
of
the
people
on
this
call.
That
has
a
tentative
working
title
of
a
secure
software
Covenant.
But
it
is
it's
partially
about
the
consumption
of
Open
Source
software,
but
it's
really
about
the
consumption
of
any
software
and
about
the
production
of
software,
and
so
I
was
wondering.
D
K
Spoke
to
Aaron
about
that
on
Friday,
because
I
knew
that
there
was
some
stuff
overlapping
there,
but
the
way
I
kind
of
think
about
it
is
sort
of
the
manifesto
is
kind
of
calling
for
Action
in
one
under
discussed
area.
The
Covenant
is
a
follow-up
to
that
that
would
that
balances
across
the
whole
thing.
So
the
manifesto
is
kind
of
saying
we
need
to
do
some
things
about
this.
K
E
J
K
B
I
mean
just
that
it's
like
as
soon
as
we
can
really
right,
but
I
mean
it
and
it's
awful
I
mean
you
know,
I,
don't
think
the
blame
as
well
here
right
is
we've
been
trying
to
do
this
for
six
solid
months.
It's
just
other
things
have
gotten
the
way
and
and
I
think
we've
iterated
it
quite
a
lot.
But
it's
really
at
the
point
now
just
to
get
that
extended
feedback
to
see
you
know.
B
Absolutely
complementary
to
that
and
I
do
think.
This
particular
working
group
would
be
a
great
next
step
for
the
Covenant
too
right.
So
you
know
it's
not
like.
This
is
one
and
done
for
the
discussion
around
the
the
consumption
Manifesto.
Let's
maybe
bring
it
up
and
show
people
now,
but
we'll
be
back
next
week
to
talk
about
it,
I'm
sure
and
let's
talk
about
the
Covenant
also
at
the
same
time,
okay,.
B
B
M
So
I
think
this
is
a
a
fantastic
idea.
One
comment
I
have
because
what-
or
maybe
it's
just
to
say,
I
hope
we
take
some
time
with
this,
because
I
think
this
is
a
great
opportunity
to
not
just
talk
about
what
we
see
but
also,
what's
on
the
horizon.
I
think
that
we
have
an
opportunity
to
make
some
make
some
predictions
here,
whether
for
good
bad
or
for
for
good,
bad
or
or
indifference.
M
Some
predictions
that'll
that'll
help
us
forecast
issues
to
come,
otherwise
would
just
continuously
talking
about
the
same
wheel,
a
thousand
different
ways.
You
need
to
talk
about
how
that
wheel,
expands
different
spokes,
all
kinds
of
stuff,
I'm
more
than
willing
to
jump
into
the
conversation
and
put
my
two
cents
in
there
too.
M
Just
because
all
the
work
that
we're
doing
across
the
openness
and
stuff
and
I
mean
all
the
work
that
we're
doing
we're
doing
some
fantastic
things
and
we're
and
we're
getting
as
creative
as
possible,
but
I
think
this
stuff
that
happens
here
can
kind
of
tie
all
that
together.
If
we're
expanding
our
thoughts
and
it's
really
synthesizing
all
the
information
we're
taking
in
to
produce
something,
that's
that
can
live
and
breathe
for
years
come
something
that's
scalable
for
years
to
come.
M
So
that's
just
the
only
the
only
thing
I
want
to
throw
in
there
then
to
make
sure
that
when
we're
doing
this
is
not
quick
this
this,
this
type
of
Manifesto
can't
be
quick
because
we're
gonna,
we
have
the
potential
to
say
some
things
that
we
can
5
10
15
years
out,
say
hey!
This
could
happen
if
we
know,
if
we
don't
do
this
and
this
this
can
happen
right.
So
that's
something
I
want
to
throw
out
there.
Let's
take
our
time
with
it,.
M
H
H
H
Having
been
involved
with
a
couple
of
other
technology,
manifestos
I
think
it's
valuable
to
put
a
stake
in
the
ground,
even
if
we
don't
feel
it's
completely
finished
to,
especially
if
we
want
to
be
making
the
point
that
openssf
can
be
a
great
place
to
build
these
standards
and
technologies
that
can
be
that
can
address
the
issues
that
have
been
raised
in
the
public
policy
statement
that,
as
we
were
talking
about
earlier
than
I,
think
it
could
be
a
good
opportunity
to
draw
attention
to
to
that.
So
anyway,.
B
B
You
know
I,
think
you
know
feedback
from
Jay
in
that
there's
a
lot
of
sort
of
forward
thinking
that
makes
complete
sense.
There
I'm
just
I'm,
just
concerned
about
how
long
we
can
wait,
because
when
I'm
talking
to
a
lot
of
different
Enterprise,
there's
some
consumers
that
they're
not
they
think
not
a
lot
of
people
are
picking
up
in
this.
We
are
in
a
little
bubble
here,
right,
I.
B
Think
a
lot
of
people
here
are
totally
aware
of
this
sort
of
stuff,
and
you
reach
out
to
a
couple
of
people
on
ossf
and
absolutely
lots
of
head
snotting
and
stuff.
You
start
to
reach
out
a
little
bit
further
and
people
just
don't
seem
to
grok.
What's
going
on
or
see
what's
coming
at
them
or
appreciate
that
there
are
Technical
Solutions
that
they
can
start
building
now,
even
if
they
write
it
themselves
to
start
to
make
some
of
these
fixes?
So
it's
really
trying
to
really
raise
that
awareness.
N
I
well,
I,
agree,
I,
agree
with
everyone,
but
but
at
the
same
time,
for
instance,
the
I
was
part
of
writing
the
the
get
UPS
principles
and
we
made
sure
to
version
it.
So
you
know
the
the
ghetto's
principles
as
of
right
now
is
version
one
total
so
that
it
could
be
kind
of
like
a
Midway
point
of
actually
having
a
versioned
manifest
that
could
then
get
updated,
but
at
the
same
time
get
it
out
quickly.
K
Yeah,
so
thanks,
yeah,
I,
I,
I
I
think
the
versioning
is
a
great
idea
and
just
to
reinforce
what
Jonathan
said
in
reaction
to
Jay
like
I.
Look
at
this
as
more
of
like
a
single
single
issue,
Manifesto,
as
opposed
to
the
whole
thing
and
I
think
that
that
can
be
useful
because,
like
I
said,
we
feel
like
this
is
an
area
that
doesn't
get
enough
attention
and
trying
to
make
it
too
big
and
do
all
the
things
well
that
that's
perfect,
being
the
enemy
of
the
good
one
and
two
for
everybody.
D
K
Here,
which
is
nobody's
really
paying
enough
attention
to
this
issue?
So
let's
lean
hard
on
that
issue
and
not
make
it
look
like
it's
trying
to
be
the
Covenant
or
you
know,
salsa
or
S2
c2f,
and
all
these
other
things
I.
Think
we
being
hyperbolic
in
one
issue
like
I,
said
how
well
we're
just
trying
to
level
the
playing
field,
we're
not
trying
to
say
that
this
is
more
important
than
all
the
other
things.
We
are
saying,
though,
that
it
can
have
as
a
consumer
a
more
immediate
effect.
You
don't
have
to
wait
and.
D
K
I
and
I
got
to
this
line
of
thinking
slowly
over
a
long
period
of
time
and
then
all
at
once
and
talking
to
people
who
were
like
yeah
that
s-bomb
thing
I'm
waiting
for
the
industry
to
produce
s-bombs
for
all
of
my
dependencies
and
until
that
happens,
I
can't
do
anything
and
I'm
like
oh,
my
gosh.
Are
you
serious
like
there
are
lots
of
tools
that
can
do
that?
There
are
free
tools
that
can
help
you
do
this
waiting
for
the
world
to
solve.
G
Check
yeah,
yeah
I
think
it's
a
great
initiative.
I
was
wondering
how
how
open
are
you
to
sort
of
like
wordsmithing
suggestions
in
terms
of
it,
because
I
I
agree
that,
like
a
good
Manifesto
has
a
generous
dollop
of
hyperbole
and
you
know,
reaches
there's
a
speed
trading
expression
reach
for
the
marble
yeah
that
that
I
I
would
I
would
love
to
try
and
pour
on
I.
K
G
K
D
G
A
good
Manifesto
is
either
yeah
is
either
short
or
long
with
a
single
message
yeah
and
like
the
the
two,
the
two
ones
I
think
of
as
sort
of
classic
manifestos.
It's
the
agile
Manifesto,
which
is
just
for
sentences,
basically
with
some
some
puff
around
the
edges
and
the
common
Communist
Manifesto,
where
it's
just
sort
of
like
meant
to
you,
know
motivate
I'm,
not
a
don't
worry
it's.
It's
meant,
it's
meant
to
motivate
this
action
right
and
it
tells
its
message
simply
and
and
and
sort
of
eloquently.
B
Trying
to
reduce
those
the
principles
like
you
know,
think
you
know,
there's
a
real
focus
on
that
I
think
wordsmithing
again,
100,
sorry,
I,
think
I,
agree,
I,
think
when
it
gets
to
the
point
of
well
it'd,
look
better.
If
we
added
this
I
did
that,
then
we
started
a
step
in
a
different
version
territory.
But
absolutely
you
know,
let's
change
the
language
I
mean
yeah.
K
The
draft
of
the
blog
too
I,
don't
think
I,
don't
think
that's
linked
out
there,
but
that
helps
provide
more
context
and
I
think
we
were
trying
to
find
the
right
balance
of
putting
the
explanation
for
it,
mostly
in
a
different
document,
to
keep
the
manifesto
as
tight
as
we
could
I
don't
know
if
we
struck
the
exact
balance,
but
there
is
an
another
piece
with
more
behind
this.
That's
how
we're
trying
to
separate
it.
A
A
K
A
Outcome
it's
the
kind
of
the
formal
outcome
of
what
was
what
we
all
discussed
in
that
meeting,
so
I
would
think.
I'll
I
can
send
this
around
to
some
folks
after
the
after
the
the
board
meeting
I
think
it's
worth
it,
because,
because
I
think
that
the
man,
the
manifesto,
is
obviously
a
a
longer
term
view
or
document,
but
for
for
this
next
year
or
so
this
the
Sterling
tool
chain
is
going
to
be
the
focus
of
openssf
right
they're.
A
B
Let's
absolutely
take
a
look
at
it,
but
but
I
think
that
the
point,
because
you're
right
I,
think
we
need
to
focus
on
the
Sterling
tool
chain
is
like
one
of
the
driving
focuses
for
ssf
in
my
viewing
as
a
governing
board
member
right.
I.
Think
what
the
manifesto
is,
though,
is
that
I
I
think
to
believe
Brian's
point
a
little
of
all
the
things
that
you
need
to
look
at
from
a
consumer
that
that's
probably
one
that
should
be
pretty
high
up
on
your
list
to
provide
that
benefit
right.
K
Yeah
and
if
we're
not
careful
in
our
messaging,
then
that
example
I
gave
around
people
waiting
for
s-bombs
could
then
become
well
I'm
waiting
for
the
ossf
Sterling
tool
chain,
which
we
know
is
not
happening
tomorrow
and
in
the
meantime,
dot
dot
dot
I'm
just
going
to
keep
on
using
the
broken
versions.
I
have
right
now
like
that,
would
be
a
tragic
outcome
and
and
I
think
that's
the
difference.
So
I
think
we
yeah.
B
All
right
we've
had
the
the
time
check
appropriate
time
check.
That's
one
of
the
one
of
the
things
we
need
to
we
need
to
perhaps
have
is
a
formal
position
within
the
group.
A
time
check,
expert,
look,
I,
think,
there's
been
a
healthy
discussion
about
the
manifesto
and
to
make
sure
that
do
we
distribute
it'd
be
great
to
get
feedback
from
that.
B
B
So
if
you're
happy
to
take
people's
view
on
this,
but
I
was
going
to
jump
over
that
save
that
for
the
an
ad
hoc
section
and
look
at
additional
notes
from
other
working
groups.
Is
that
reasonable?
Do
we
think
yep
excellent,
all
right?
So
assuming
there
are
notes
from
other
working
groups,
I
think
there's
already
a
list.
That's
been
added
to
the
email
chain
here.
Is
anyone
getting
any
notes
from
other
working
groups?
I
Mine
I'll
go
quick.
We
are
in
the
process
of
a
Tac
election,
so
I
put
some
details
in
there.
First
off
any
participant
within
the
open.
Ssf
is
eligible
to
vote,
but
you
need
to
register,
takes
about
30
whole
seconds
and
you
need
a
GitHub
ID.
So
I
would
encourage
everyone
to
follow
the
voter
eligibility
self-nomination
form.
I
Anyone
is
welcome
to
self-nominate
for
the
attack
itself.
So
if
you
think
you
would
like
to
participate
in
helping
steer
the
technical
direction
of
the
foundation,
there
is
a
form
to
fill
that
out.
That
does
not
take
30
seconds.
You'll
need
to
do
a
little
homework
and
pre-work
before
you
fill
that
out,
but
yeah.
Everyone
is
welcome
to
do
that
and
then.
Thirdly,
there
is
a
concept
of
the
security
Community
individual
representative.
That
is
also
up
for
election.
I
So
if
anyone-
and
this
is
generally
a
person-
that's
not
affiliated
with
the
governing
board
organization,
but
anyone
that's
interested
in
being
that
you
know
Community
representative,
that
is
also
being
up
for
nomination
and
election.
So
please
fill
that
form
out
if
you're
interested
in
that
and
then
I
have
the
dates
of
when
everything's
going
to
execute.
So
we
need
to
get
the
voter
registration
done
by
March
12th
and
then
they
will
send
out
the
they're
going
to
validate
everyone.
I
I
I
And
then
my
other
item
is
an
action
item
for
Jonathan.
In
this
group,
the
end
user
working
group
gets
to
come
to
the
TAC
next
Tuesday
to
talk
about
all
the
amazing
progress
and
activities,
I
provided
a
link
to
the
template
that
we're
going
to
be
using
over
in
the
best
working
group
to
have.
We
also
we've
been
called
up
to
talk
so
feel
free
to
leverage
that
that's
the
format
the
tech
likes
to
see.
If
you
need
help,
let
me
know-
and
that
is.
B
B
G
Yeah,
just
a
quick
update
from
the
securing
software
repost
group.
We've
got
some
folks
who
put
up
their
hand
and
volunteered
to
prepare
the
the
sort
of
the
the
design
or
the
proposal
for
how
the
shared
repository
will
work
or
the
shed
like
metadata
and
samples
repository
that
we've
talked
about
in
this
group
and
other
groups.
So
SSR
is
taking
taking
point
on
that.
One
I
don't
have
a
fixed
timeline,
this
time,
everybody's
always
busy
as
We
Know
but
just
wanted
to.
Let
you
know
that
the
wheels
are
in
motion.
O
O
B
B
G
B
B
O
B
B
Not
at
all,
not
at
all,
we've
all
got
day
jobs,
many
many
day,
jobs
right
so
any
other
business
or
we
will
give
people
some
time
back
all
right.
So
a
couple
of
things
to
follow
up.
Everyone
I'm
sure,
is
going
to
read
that
document.
Let's
use
slack
to
feed
things
back,
have
a
great
end
of
the
week
and
weekend
and
thank.
H
You
very
much
and
sorry
just
to
clarify
on
the
manifesto
thing
it
it's.
The
document
I've
pasted
the
URL
to
that
document
in
the
minutes,
you're
looking
for
people
to
feedback
as
suggestions
or
comments
and
stuff
like
that.
This
is
current.
This
is
a
this
is
a
call
for
for
comments
from
this
group.
Yeah
yeah.
B
And
and
support
it's
not
just
a
commentary,
one
it's
a
yep
makes
sense
to
me.
I
would
support
that.
You
know
I,
don't
think.
We've
really
thought
about
how
we'd
track
that
necessarily,
maybe
you
know
a
comment
at
the
top
or
we
can
add
sort
of
signatories
at
the
bottom,
maybe
that
one
but
I
think
it's
really
a
course
of
support
as
well.
Does.